A newly discovered security hole in Microsoft’s Internet Explorer–the default Web browser for many users–could be particularly troubling for those still running Windows XP.

Microsoft on Sunday warned about hacking attacks against versions six through 11 of its flagship browser. If exploited, the coding flaw would allow hackers to have the same level of access on a network computer as the official user. That’s really bad.

FireEye, a security company that claimed credit for finding the hole, said it is part of a hacking campaign against U.S. financial and defense companies but wouldn’t elaborate. The company said attacks mainly are targeted at Internet Explorer 9 through Internet Explorer 11.

The bug affects the browser when used on multiple Microsoft operating systems. But the situation poses a special concern for people still using Windows XP.

The software was introduced in 2001, and Microsoft on April 8 stopped supporting XP with software updates–including security patches for the operating system and its browser. XP can run up to Internet Explorer 8.

“XP users are not safe anymore and this is the first vulnerability that will be not patched for their system,” Symantec researcher Christian Tripputi wrote in a company blog post.

The operating system, though outdated and plagued with security flaws, still runs on some 300 million machines. The Redmond, Wash., tech giant offers extended support for corporate clients still running XP but at a hefty price.

Microsoft, despite its past statements, could decide to make an exception and issue a patch that would aid XP users. The company didn’t immediately respond to a request for comment.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers,” Microsoft said in a security bulletin.

Sunday’s disclosure, to a certain extent, was predictable. Microsoft had publicized widely its plans to stop supporting XP, and the dire consequences for some users were well-known.

But it’s not clear if anyone expected a major XP flaw to be found three weeks after Microsoft ended support.

Morgan Marquis-Boire, a well-known security researcher, posted a link to Symantec’s warning on his Twitter account Sunday and signaled that he expected a furor by including the phrase “*gets popcorn*.”